[CentOS] Update on spam, postfix, fail2ban, centos 6

Fri Jun 15 21:56:07 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

I have been using centos 6 in a virtualized system for a few months now.
Took a while to batten down the hatches with postfix, rbls, and to use 
fail2ban correctly.
The mailserver for my website(s) are located on the http server as 
well..an 'all in one' server.
DNS servers are separated.

My two sites, and their emails addresses (1 for each) have been around 
for 10 and 15 years respectively.
One site was a business site, one was news and politics...both were very 
busy at one point, thus 'on the radar'
of hackers and spammers.

I decided to see what I could do with my system to prevent hacks and 
spams in regards to email and brute force attacks
on all systems except for my web apps (which are down right now and in 
development).

Fail2ban is really good at the brute force, assuming it is just one ip 
and not all attempts are at once. Thus it works on script kiddies
but I do not think it would work well on a dedicated hack attempt by a 
serious individual or group.

But I am using fail2ban to auto ban ips regarding spam.

As far as spam, very little gets through now. A few a day. Between 
blacklists, my own blacklist of commercial spammers, stringent
settings of postfix the actual spam that gets through is small. But it 
still gets through.

I was using fail2ban on attempts that numbered 3 or more that ended in 
5xx replies from my server. I would block for 10 minutes.
I found I was blocking about 800 ips a day on one server, half that on 
the other.
I did notice that there were a ton of attempts that were under 3. Lots 
of 2's and a ton of 1's.

So a couple weeks ago (not sure when I started) I decided to try 
blocking any 5xx reply by IP.
This is a private server and just my own mail comes to it, so I am not 
worried too much about false positives or other effects.

------------------------------------------------
So what happened?

The ips jumped up considerably, to 1,500 to 1,700 a day banned on one 
server, about 1000 on the other.
What is interesting in those numbers is they are constant. Every week 
day I can count on about 1500 banned ips on one, 1000 on
the other, give or take.

What really changed was the mail servers sending mail that got through 
the restrictions, but were sending to non existent addresses.
A majority (like 80%) were from yahoo. This was a sudden change. It was 
not like this before.
Yahoo spammed like crazy. And they got the mailserver ip banned.

10 to 20 emails a day from yahoo mail servers, going to non existent 
emails. Where before it would be one or two.
The yahoo mails got bigger every day until they started waning (probably 
due to ip banning).

The mail that actually got through all of this was 50% free mail (yahoo, 
msn/live, some aol, etc) Yahoo being the biggest.

Another thing I noticed. When I started adding domains to my 'blacklist 
of commercial senders', legitimate or not, I started to get yahoo
mails with references inside the mails to many of the illegitimate sites 
that were coming from the UCE's I had blocked.

It is quite interesting to watch this process. More interesting that no 
matter how strict or lax I make the system there will be the same
number of attempted mails sent to my server. (give or take a few hundred).

If I unban all the ips, which I did once, there was a one day bump up, 
then it leveled off to the same amount of individual attemtps
(not counting the same attempt being tried again).

I have 35,000 ips blocked right now and nothing changed...except yahoo spam.

Spamassassin I use, but only for level 10 or more spam...it is deleted. 
I found all of these over the last few months to be the kind
with attachments, probably viruses.

-------------------------------------------------------------------------
What Have I learned?

I have learned a large number of attempts are from ISP's and not websites.

I have learned that ISP's will not do anything at all, ever, about this. 
(someone trying to send 1 million mails a day might be suspicious,
but they ignore it)

I have learned a large majority of 'hosts' are technically challenged 
small business owners who have no sys admin knowledge.
Those hosts spew spam bots

I have learned the chinese have really taken a liking to play with my 
server, possibly for training purposes. My server is a hit in beijing
and some other province I cannot spell.

----------------------------------------------------------
What can be done?

Not much. If the isp's do nothing, and the technology is not available 
to datacenters and hosts, there is not much I can do at all.
Complaining to an isp or host would take 24 hours a day of messages, 99% 
which would be ignored.

There is a consideration for the scumbags that call themselves 
legitimate mailers, like vocus.com. They are in the US, as I am.
I am considering going to small claims for some of these spam attempts. 
I cannot use the can-spam act, since they are technically
not in violation.

However, I could use the logs and attempts, copies of emails and phone 
calls telling them to stop, and sue them
for a small dedicated denial of service attack, use of my bandwidth, 
harassment of my server and business.

Would I win? Probably. Would I ever get money from them? Most likely not.